
Last week brought news of a critical Cisco Adaptive Security Appliance remote code execution vulnerability, prompting many IT departments to start preparing to patch affected Cisco devices. This vulnerability (which scored a 10/10 on the Common Vulnerability Scoring System) impacts many popular Cisco ASA devices, so the effects are far reaching. And in a Spiceworks poll, approximately half of IT pros told us their organization is using affected devices.

On Feb. 5, new details about this vulnerability came out that increase the scope of affected devices. In its advisory, Cisco clarified that it "identified additional attack vectors and features that are affected by this vulnerability. In addition, it was also found that the original fix was incomplete so new fixed code versions are now available."

Scope of vulnerability has increased

So if you assumed you were protected because your firmware was up to date, you may well need to update your firmware again to protect your network fully. Assumptions made last week may no longer hold.

For example, the advisory previously stated that a "vulnerability in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code." The revised statement now reads that "vulnerability in the XML parser of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code. It was also possible that the ASA could stop processing incoming Virtual Private Network (VPN) authentication requests due to a low memory condition."

Additionally, Cisco has added more products to its list of vulnerable products, so double check whether more devices on your network are affected. Also, it was previously stated that the vulnerability only applied to version 6.2.2 of the FTD software. That statement now says that "this vulnerability applies to all FTD releases before the first fixed software release. The FTD release contains both Firepower and ASA code."

Below you'll find the current (as of Feb. 5) charts from the Cisco site that outline the affected products, vulnerable features, and fixed releases you'll need to upgrade to.
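Because the original fix was incomplete and the fixed-release chart was revised, the practical check is to compare each box's running release against the first fixed release for its train, not just to ask whether it was "recently patched." The following is an added example, not a Cisco tool or anything from the original post: it parses the software version line from `show version` output (the "9.8(2)20" form printed by the device and the "9.8(2.20)" form used in advisories are treated as the same interim build, an assumption of this example) and compares it against a per-train table. The table values and the `show version` excerpt below are constructed placeholders; fill the table in from the advisory's fixed-release chart.

```python
import re
from typing import Dict, Optional, Tuple

# (major, minor, maintenance, interim) so tuples compare in release order
Version = Tuple[int, int, int, int]

# Matches "9.8(2)", "9.8(2)20" (show version style) and "9.8(2.20)"
# (advisory style). Assumption of this example: the last two mean the
# same interim build.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?")


def parse_asa_version(text: str) -> Version:
    """Extract the first ASA release string found in text as a tuple."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no ASA version found in: {text!r}")
    major, minor, maint, interim_in_parens, interim_suffix = m.groups()
    interim = interim_in_parens or interim_suffix or "0"
    return (int(major), int(minor), int(maint), int(interim))


def release_train(v: Version) -> str:
    """Advisories list fixed releases per train, e.g. '9.8'."""
    return f"{v[0]}.{v[1]}"


def installed_version(show_version_output: str) -> Version:
    """Find the ASA software version line in 'show version' output.
    Other lines (Device Manager version etc.) also carry x.y(z) strings,
    so only the ASA line is parsed."""
    for line in show_version_output.splitlines():
        if "Adaptive Security Appliance Software Version" in line:
            return parse_asa_version(line)
    raise ValueError("ASA software version line not found")


def needs_upgrade(installed: Version, fixed_by_train: Dict[str, str]) -> Optional[bool]:
    """True  -> running release is older than the first fixed release
    False -> at or above the first fixed release for its train
    None  -> train not in the table; consult the advisory chart directly."""
    train = release_train(installed)
    if train not in fixed_by_train:
        return None
    return installed < parse_asa_version(fixed_by_train[train])


# Constructed 'show version' excerpt (not captured from a real device).
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.8(2)
Device Manager Version 7.8(2)
Compiled on Tue 01-Aug-17 12:00 PDT by builders
"""

# PLACEHOLDER table. These are NOT Cisco's fixed releases; replace every
# value with the "First Fixed Release" column from the current advisory.
FIXED_RELEASES_PLACEHOLDER: Dict[str, str] = {
    "9.8": "9.8(2.99)",  # placeholder value
    "9.6": "9.6(4.99)",  # placeholder value
}


def check_sample() -> Optional[bool]:
    """Run the comparison on the constructed excerpt and placeholder table."""
    running = installed_version(SAMPLE_SHOW_VERSION)
    return needs_upgrade(running, FIXED_RELEASES_PLACEHOLDER)


if __name__ == "__main__":
    running = installed_version(SAMPLE_SHOW_VERSION)
    verdict = needs_upgrade(running, FIXED_RELEASES_PLACEHOLDER)
    print(f"running {running}, train {release_train(running)}, needs upgrade: {verdict}")
```

A `None` result is deliberately not treated as "safe": a train missing from the table means the chart has to be read by hand, which is also the case for the FTD releases, whose 6.x numbering this parser does not cover.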


Life was fine until about 6 months ago when our site-to-site VPNs started getting "flakey." Instead of negotiating a tunnel and having it work immediately, as it used to do, the tunnel will open/collapse 10, 20, or more times before it stabilizes. This latest patch hasn't improved things.

I know it's not the NSA hacking in - we give them everything directly. Probably the ChiComs.

Well that's just great. We patched ours last night, and then they released this three hours after... Well played Cisco.

Think of it this way, you get another fun time trying to organise downtime at the office!

Ofsted gestapo are in this week so that ain't happening. It's just going to have to wait for a bit methinks

OFSTED?!?! We just had the VAT man (woman) in and I don't think she smiled once.

An Ofsted report of my primary school from the 90s once read pretty much along these lines: "these racist individuals need to integrate more with people from other backgrounds and creeds". Simply because there was no one in the entire school from any other background other than white British and Ofsted had to write something. I come from a small little backwater provincial town in a county with no motorways or road system of any note... if we could integrate we would!!

"The Cisco ASA-brand was also hacked by Equation Group. The vulnerability requires that both SSH and SNMP are accessible to the attacker. The codename given to this exploit by NSA was EXTRABACON. The bug and exploit (CVE-2016-6366) was also leaked by The ShadowBrokers, in the same batch of exploits and backdoors. According to Ars Technica, the exploit can easily be made to work against more modern versions of Cisco ASA than what the leaked exploit can handle."

I can honestly say I've never used a worse web site than Cisco for trying to find a "critical" software patch for our devices, or for identifying exactly what interim release version is actually installed.

So, does this still only affect SSL and webvpn? Or now that it's a general XML bug do I need to schedule downtime on these devices that I'm planning to replace soon anyway?

CrazyLefty wrote:

Is there any kind of traffic patterns we can look out for to determine if we have been compromised?

Hi there, while I have reasonable guesses, I think these questions are best directed towards someone at Cisco. For example, I just now saw that Matthew (Cisco) had written a similar post to this one, and is likely much more knowledgeable on the subject than myself.
